Luis Medina created ZEPPELIN-2799:
-------------------------------------
Summary: Zeppelin 0.7.2 makes HTTP GET request to unsupported
endpoint /auth/login
Key: ZEPPELIN-2799
URL: https://issues.apache.org/jira/browse/ZEPPELIN-2799
Project: Zeppelin
Issue Type: Bug
Components: zeppelin-server
Affects Versions: 0.7.2
Reporter: Luis Medina
When using Zeppelin 0.7.2, it seems to be making a GET request that looks like:
{noformat}
/api/login;JSESSIONID=XXXXX
{noformat}
This causes a 405 - Method Not Allowed error on the browser when it tries to
hit that endpoint.
I've looked through the API endpoints defined for Zeppelin under the
zeppelin.rest package in zeppelin-server and the only endpoint to /api/login
that it supports uses POST.
I've tried diving into the code but can not seem to figure out why this call is
happening or where it is coming from. Here is the shiro.ini that I'm using in
case it's helpful:
{code}
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at
http://shiro.apache.org/configuration.html#Configuration-INISections
admin = password1, admin
user1 = password2, role1, role2
user2 = password3, role3
user3 = password4, role2
# Sample LDAP configuration, for user Authentication, currently tested for
single Realm
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = userNameA
#use either systemPassword or hadoopSecurityCredentialPath, more details in
http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
#activeDirectoryRealm.systemPassword = passwordA
#activeDirectoryRealm.hadoopSecurityCredentialPath =
jceks://file/user/zeppelin/zeppelin.jceks
#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
#activeDirectoryRealm.url = ldap://ldap.test.com:389
#activeDirectoryRealm.groupRolesMap =
"CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
#activeDirectoryRealm.authorizationCachingEnabled = false
### A sample for configuring LDAP Directory Realm
#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
#ldapRealm.contextFactory.authenticationMechanism = simple
## A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd
### A sample for configuring ZeppelinHub Realm
#zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
## Url of ZeppelinHub
#zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
#securityManager.realms = $zeppelinHubRealm
pseudoRealm = org.apache.zeppelin.realm.PseudoRealm
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
securityManager.realms = $pseudoRealm
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login
[roles]
role1 = *
role2 = *
role3 = *
admin = *
[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls.
Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enfore security, comment the line below and uncomment the next one
/api/version = anon
/api/notebook/** = anon
/api/login/** = authc
/api/interpreter/setting/restart/** = anon
/api/interpreter/** = authc
/api/configurations/** = authc
/api/credential/** = authc
#/api/credential/** = authc
/** = authc
{code}
The PseudoRealm mentioned in the file is meant so imply allow anyone to login
regardless of their password. This is defined like so:
{code:java}
package org.apache.zeppelin.realm;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.realm.Realm;
public class PseudoRealm implements Realm {
public String getName() {
return "PseudoRealm";
}
public boolean supports(AuthenticationToken token) {
return true;
}
public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) {
return new SimpleAuthenticationInfo(token.getPrincipal(),
token.getCredentials(), this.getName());
}
}
{code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
